[VoiceOps] Fraud fun

Mark R Lindsey lindsey at e-c-group.com
Wed May 18 13:34:51 EDT 2011


Cool use of iptables. There's definitely short-term tactical value in taking advantage of the signature "friendly-scanner" -- 

But we also know that the SIPvicious user population is getting more sophisticated. 

-- At our clients, they've slowed their scanning rate so they're no longer causing overload attacks.

-- It's just a matter of time before they remove the string "friendly-scanner" from their SIP messages.


mark at ecg.co  |  +1-229-316-0013  |  http://ecg.co/lindsey



On May 18, 2011, at 12:46 PM, Alex Balashov wrote:

> Ghetto, but goes a long way in helping harden individual Asterisk servers on which one has no choice but to leave the SIP call agent open to the public Internet:
> 
> iptables -A INPUT -p UDP --dport 5060 -m string --algo bm --string 'friendly-scanner' -j DROP
> 
> 
> On 05/18/2011 12:42 PM, Spencer wrote:
> 
>> I'm not sure what your requirements are but, we recently blocked all
>> non-ARIN IP space from reaching our registrars. We had something similar
>> happen and this has essentially eliminated the fraudulent calls we saw.
>> 
>> Thanks,
>> Spencer
>> 
>> ------------------------------------------------------------------------
>> Message: 1
>> Date: Tue, 17 May 2011 15:53:15 -0700
>> From: Darren Schreiber <d at d-man.org>
>> To: "VoiceOps at voiceops.org" <VoiceOps at voiceops.org>
>> Subject: [VoiceOps] Fraud fun
>> Message-ID: <C9F84A6B.2097A%d at d-man.org>
>> Content-Type: text/plain; charset="us-ascii"
>> 
>> Hi folks,
>> We have been hit twice in the past two days with calls to
>> 011-252-XXXXXXXX (calls to Somalia I believe, and the originating IP is
>> from Pakistan)
>> 
>> It's the same user each time, I think he had a weak password, but it
>> cost us over $100, which isn't too bad (we catch it quick) but I'd like
>> to get it closer to $0. :-)
>> 
>> Any good recommendations for IP ranges to block from incoming connections?
>> 
>> Thanks,
>> 
>> Darren Schreiber
>> CEO / Co-Founder
>> 
>> 2600hz | www.2600hz.com
>> sip:darren at 2600hz.com
>> tel:415-886-7901
>> 
>> _______________________________________________
>> VoiceOps mailing list
>> VoiceOps at voiceops.org
>> https://puck.nether.net/mailman/listinfo/voiceops
> 
> 
> -- 
> Alex Balashov - Principal
> Evariste Systems LLC
> 260 Peachtree Street NW
> Suite 2200
> Atlanta, GA 30303
> Tel: +1-678-954-0670
> Fax: +1-404-961-1892
> Web: http://www.evaristesys.com/
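Added example, not part of the original thread: a Python sketch contrasting the string match with a check that survives both a renamed User-Agent and a slowed scan rate, by counting distinct users each source tries to REGISTER with no time window. The sample messages, addresses, host name and the `max_users` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

def register(user, ua):
    """Build a minimal constructed SIP REGISTER request (not a full, valid message)."""
    return (f"REGISTER sip:pbx.example.net SIP/2.0\r\n"
            f"To: <sip:{user}@pbx.example.net>\r\n"
            f"User-Agent: {ua}\r\n\r\n")

# Constructed sample traffic as (source IP, raw request) pairs; all values are made up.
SAMPLE = (
    # Scanner that still announces itself in the User-Agent header.
    [("203.0.113.10", register(str(ext), "friendly-scanner")) for ext in range(100, 106)]
    # Same behaviour, but the tell-tale string has been removed.
    + [("203.0.113.77", register(str(ext), "Generic Softphone 1.0")) for ext in range(200, 206)]
    # Ordinary phone re-registering a single account.
    + [("198.51.100.5", register("alice", "Generic Softphone 1.0"))] * 4
)

# User part of the To header, which names the account being registered.
TO_USER = re.compile(r"^To:.*?<sips?:([^@>;]+)@", re.I | re.M)

def signature_hits(messages, needle="friendly-scanner"):
    """Sources a packet string match would drop: the literal appears in the request."""
    return {src for src, msg in messages if needle in msg}

def enumeration_hits(messages, max_users=3):
    """Sources that tried more than max_users distinct accounts (assumed threshold).

    No time window is applied, so spreading the attempts out does not lower the count.
    """
    users = defaultdict(set)
    for src, msg in messages:
        match = TO_USER.search(msg)
        if match:
            users[src].add(match.group(1).lower())
    return {src for src, seen in users.items() if len(seen) > max_users}

if __name__ == "__main__":
    print("string match:", sorted(signature_hits(SAMPLE)))
    print("enumeration :", sorted(enumeration_hits(SAMPLE)))
```

A source that legitimately registers many accounts from one address, such as a proxy or a site behind NAT, would need an allowlist or a higher threshold.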
